Chapter 5 Trusted Virtual Environment Module

5.6 TVEM Design

5.6.6 Security Features

Protecting the TVEM’s content and state is critical to maintaining trust in the TVEM. Three primary features protect the TVEM’s private information and enhance its security: virtual environment isolation, rollback detection, and the TVEM heartbeat.

Isolation

To ensure that no other process on the platform can read or modify the TVEM’s memory, the TVEM must be isolated from the other processes on the platform. Three mechanisms are available to ensure that a TVEM is isolated from other processes on the platform: secure hypervisors, hardware virtualization, and trusted execution technology. These mechanisms are layered and work together to prevent virtualization containment attacks and protect the VM in which the TVEM is operating.

The secure hypervisor is the first layer of defense; it sets the VM boundaries and access privileges for all VMs on the system. The second layer is Intel VT-d hardware support for VM isolation and containment detection. The hardware features of VT-d detect and prevent any unauthorized read or write not only to the memory of the TVEM, but also to I/O space owned by the VM. The final layer is Intel TXT, which can further restrict processors in a multi-processor system from accessing the TVEM, preventing a rogue processor from hijacking the execution space of the TVEM. With these layered security technologies based in software and hardware, software-based attacks against the TVEM isolation become very difficult.

Rollback Detection

One of the most important security features for maintaining trust in the TVEM is rollback and state modification prevention. Rollback is when the state of the TVEM is manipulated backwards to a previous state to break encryption or weaken keys. Protecting against rollback in software alone is difficult; however, there are features of the system architecture that can be used for rollback and state modification detection, namely the VTN.

To protect against rollback, the monotonic counter function of the TVEM is used to determine state progression. Every time the monotonic counter is increased, the counter and the TVEM state are hashed to create an HMAC, and the state is sent along with the HMAC to the TVEM factory. The TVEM factory maintains the current count for the TVEM and verifies its state against the previous messages. If the monotonic counter has advanced forward by exactly one, the factory signs the HMAC and sends it back to the TVEM. The TVEM stores the signed message from the factory in the SCR. If the state is ever rolled back, the factory’s count check will detect that the count is incorrect and flag an error. Anyone wishing to verify the state can simply request a state verification from the TVEM and verify it with the factory.
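The counter-and-HMAC exchange above, as an added illustration that is not the thesis’s own code: a simulated TVEM reports each state change to a simulated factory, which accepts only a counter advance of exactly one and signs the HMAC; restoring the VM to an earlier snapshot then trips the factory’s count check. The shared HMAC key, the factory “signature” (modelled as an HMAC under a separate factory key), and the dict-shaped state are assumptions of the example.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"tvem-factory-shared-key (constructed)"  # assumption: key shared by TVEM and factory
FACTORY_KEY = b"factory-signing-key (constructed)"     # assumption: stands in for the factory's signing key


def state_digest(counter, state):
    """HMAC over the monotonic counter and the serialised TVEM state."""
    body = json.dumps({"counter": counter, "state": state}, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest()


class TVEMFactory:
    """Tracks the last accepted counter per TVEM and signs each valid advance."""

    def __init__(self):
        self.last_counter = {}

    def verify(self, tvem_id, counter, state, tag):
        if not hmac.compare_digest(state_digest(counter, state), tag):
            return None, "bad HMAC"
        expected = self.last_counter.get(tvem_id, 0) + 1
        if counter != expected:  # counter went backwards or skipped: rollback suspected
            return None, "rollback suspected: counter %d, expected %d" % (counter, expected)
        self.last_counter[tvem_id] = counter
        return hmac.new(FACTORY_KEY, tag, hashlib.sha256).digest(), "ok"


class TVEM:
    def __init__(self, tvem_id, factory):
        self.tvem_id, self.factory = tvem_id, factory
        self.counter, self.state, self.scr = 0, {}, None  # scr holds the last factory-signed message

    def update(self, key, value):
        """Change state, bump the monotonic counter, and report to the factory."""
        self.state[key] = value
        self.counter += 1
        tag = state_digest(self.counter, self.state)
        signed, status = self.factory.verify(self.tvem_id, self.counter, self.state, tag)
        if signed is not None:
            self.scr = signed
        return status

    def snapshot(self):
        return self.counter, dict(self.state)

    def restore(self, snap):
        """Model a VM being rolled back to an earlier snapshot."""
        self.counter, self.state = snap[0], dict(snap[1])
```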

Heartbeat

A periodic heartbeat message sent from the TVEM ensures that the TVEM is operating as intended. The heartbeat is a simple message sent at a regular interval indicating that the TVEM is functioning. The heartbeat should be authenticated and include a message that proves that the TVEM is operating.

The unexpected absence of a heartbeat is cause for alarm, as it can indicate any of several undesirable events. The absence of the heartbeat could stem from benign system problems such as a power or communication outage, or from more serious issues such as attacks against the TVEM. Attacks that can be detected by the heartbeat absence include denial of service attacks or malicious suspension, which could indicate more serious attacks against the TVEM such as memory inspection and modification attacks.
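An added example, not the thesis’s own code, of the authenticated heartbeat and its absence check: the TVEM side builds an HMAC-tagged heartbeat carrying a sequence number, timestamp and an operating proof, and the factory side rejects forged or replayed messages and lists any TVEM that has stayed silent beyond a grace period. The shared key, the 10-second interval, the two-interval grace and the `proof` field are assumptions.

```python
import hashlib
import hmac
import json

HEARTBEAT_KEY = b"tvem-heartbeat-key (constructed)"  # assumption: key shared with the factory
INTERVAL = 10.0   # assumed seconds between heartbeats
GRACE = 2         # assumed number of missed intervals tolerated before alarm


def make_heartbeat(tvem_id, seq, now, proof):
    """TVEM side: build an authenticated heartbeat. 'proof' stands in for the
    message that proves the TVEM is operating (e.g. a digest of its counter)."""
    body = json.dumps({"id": tvem_id, "seq": seq, "t": now, "proof": proof}, sort_keys=True)
    tag = hmac.new(HEARTBEAT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class HeartbeatMonitor:
    """Factory side: verifies heartbeats and flags a TVEM that falls silent."""

    def __init__(self):
        self.last = {}  # tvem_id -> (seq, time of last good heartbeat)

    def receive(self, msg, now):
        expected = hmac.new(HEARTBEAT_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad authentication tag"
        hb = json.loads(msg["body"])
        last_seq, _ = self.last.get(hb["id"], (0, None))
        if hb["seq"] <= last_seq:
            return "rejected: replayed or out-of-order sequence"
        if abs(now - hb["t"]) > INTERVAL:
            return "rejected: stale timestamp"
        self.last[hb["id"]] = (hb["seq"], now)
        return "ok"

    def check_absent(self, now):
        """Return ids whose last good heartbeat is older than GRACE intervals."""
        return sorted(i for i, (_, t) in self.last.items() if now - t > GRACE * INTERVAL)
```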

5.7 Discussion

The TVEM provides many advantages over a VTPM in a cloud computing environment. The management of TVEMs from the TVEM factory provides the ability to control and monitor TVEMs in a VTN and gives the information owner enhanced situational awareness. The TVEM also provides system designers and information owners support for everything from simple single-purpose applications to full operating systems. The virtual environment specific functions enable ease of use, and the modular design enables flexibility for deployment. The TVEM’s dual rooted keys provide cloud environments with security and trust that is separated from the host platform.

TVEM configurability is another advantage over VTPMs. By allowing information owners to customize their protection requirements, they have flexibility to use cloud computing services that were previously unavailable.

5.7.1 Security

TVEMs provide strong cryptographic support for securing a virtual environment on a cloud host platform. The unique dual rooted key structure provides flexibility to maintain trust in the virtual environment and allows information owners to control the confidentiality of their data on the host platforms.

A TVEM can be trusted to report host and virtual environment configurations securely as long as it is operating on a platform that is trusted by the information owner to provide the secure hypervisor, VT-d and TXT mechanisms that ensure isolation and protection for the TVEM. Once the TVEM is launched, it will report to the TF with the heartbeat and rollback protection mechanisms. These messages are verified by the TF, ensuring proper operation of the TVEM. The TVEM is constantly monitored by the TF through the messages, ensuring that any corruption of the TVEM is detected.

The TVEM improves security in our three example applications by ensuring that the environments are executing on a trustworthy platform, ensuring the environments are correctly configured, providing trusted storage for keys and other sensitive information, and providing a high entropy source for random number generation.

For the virtual web server, the TVEM provides secure storage of server certificates. As the RTS, the TVEM protects the server SSL and EV certificates by encrypting the keys with a unique SRK and storing them in persistent non-volatile memory. For stronger protection, the TVEM can bind the keys to the configuration of the host platform and/or virtual environment.

The cloud datacenter uses the TVEM to verify configuration information about the virtual servers of the datacenter. Through the PCR shadow registers, the configuration of the host platform can be determined. The TVEM provides security in the cloud datacenter by protecting private information with the SRK. The dual rooted TEK allows the information owner to control access to the information protected by the TVEM and to revoke the TEK if necessary to protect the information.

The CVD uses the TVEM to verify its configuration on a remote machine through the VECR. The shadow PCRs allow the CVD owner to query the configuration of the user’s computer and decide on the trustworthiness of the machine. Through the TVEM secure storage, the CVD can encrypt and store the network access keys, user identification keys, and other information the desktop owner wishes to be protected.

It is important to remember that TVEMs are not designed to defend against hardware-based attacks. TVEMs are software devices, and any attacker with access to certain ports (e.g., IEEE 1394 FireWire), hardware monitoring devices, emulation and debug equipment, or memory inspection equipment can circumvent the TVEM’s security. Since hardware attacks cannot be detected or defended against, physical security of cloud datacenters is of utmost importance.

Another type of attack that the TVEM cannot defend against is a dishonest host or service provider. The information owner is at the mercy of the service provider to provide the services agreed upon in a service agreement. If the host platform lies and falsely reports its attestation values to the TF, the TF has no basis for challenging the integrity of the platform. Dishonest hosts must instead be deterred through social trust: once a host is detected falsely reporting, word of the dishonesty is likely to spread through the community and the service provider’s reputation will diminish.